https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78952#M19964 <P>Interesting. I think there was something wrong with the macros.conf file. I opened it to paste the contents, and it looked like this:</P> <PRE><CODE>[receive_event] definition = ( (event_id="DELIVER" AND source_id="STOREDRIVER") OR\ (event_id=1023) )\ iseval = 0 </CODE></PRE> <P>My other eval/macro was working that looked like this:</P> <PRE><CODE>[send_event] definition = ( (event_id="TRANSFER" AND source_id="ROUTING") OR (event_id=1033) ) iseval = 0 </CODE></PRE> <P>So, I modified the receive_event manually to look like this:</P> <PRE><CODE>[receive_event] definition = ( (event_id="DELIVER" AND source_id="STOREDRIVER") OR (event_id=1023) ) iseval = 0 </CODE></PRE> <P>And now it seems to be working.</P> Mon, 11 Apr 2011 23:32:53 GMT jgauthier 2011-04-11T23:32:53Z https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78950#M19962 <P>I am using a search macro in an eval and it returns all zeros. But, when I expand it, it functions as expected. Is that normal?</P> <P>ie:</P> <PRE><CODE> `get_all_email` | stats count(eval(`receive_event`)) as Sent by recipientlist </CODE></PRE> <P>This returns all zeros.</P> <PRE><CODE>`get_all_email` | stats count(eval(((event_id="DELIVER" AND source_id="STOREDRIVER") OR (event_id=1023)))) as Sent by recipientlist </CODE></PRE> <P>This works perfectly.</P> Mon, 11 Apr 2011 22:06:16 GMT https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78950#M19962 jgauthier 2011-04-11T22:06:16Z https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78951#M19963 <P>it would be helpful to see your macro definition/macros.conf file.</P> Mon, 11 Apr 2011 22:50:55 GMT https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78951#M19963 gkanapathy 2011-04-11T22:50:55Z https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78952#M19964 <P>Interesting. I think there was something wrong with the macros.conf file. I opened it to paste the contents, and it looked like this:</P> <PRE><CODE>[receive_event] definition = ( (event_id="DELIVER" AND source_id="STOREDRIVER") OR\ (event_id=1023) )\ iseval = 0 </CODE></PRE> <P>My other eval/macro was working that looked like this:</P> <PRE><CODE>[send_event] definition = ( (event_id="TRANSFER" AND source_id="ROUTING") OR (event_id=1033) ) iseval = 0 </CODE></PRE> <P>So, I modified the receive_event manually to look like this:</P> <PRE><CODE>[receive_event] definition = ( (event_id="DELIVER" AND source_id="STOREDRIVER") OR (event_id=1023) ) iseval = 0 </CODE></PRE> <P>And now it seems to be working.</P> Mon, 11 Apr 2011 23:32:53 GMT https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78952#M19964 jgauthier 2011-04-11T23:32:53Z https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78953#M19965 <P>that looks like a bug in the UI putting linebreaks into the macro.</P> Mon, 11 Apr 2011 23:49:03 GMT https://community.splunk.com/t5/Splunk-Search/stats-eval-and-search-macros/m-p/78953#M19965 gkanapathy 2011-04-11T23:49:03Z